
Scarab Ransomware

Posted: June 14, 2017

Threat Metric

Threat Level: 10/10
Infected PCs: 4,113
First Seen: June 14, 2017
Last Seen: May 24, 2023
OS(es) Affected: Windows

The Scarab Ransomware is a Trojan that may block your files from opening and demands money to restore them. Free decryption software sometimes can reverse these attacks, although our malware researchers recommend keeping backups for the best chance of a full recovery. PCs benefiting from anti-malware protection may delete the Scarab Ransomware before it starts to encrypt any media, although security products also may uninstall it afterward.

Copycat Lawbreakers with a Little Polish on Top

While media depictions often make inventiveness a hallmark of threat actors, not all of them are creative, either as programmers or as con artists. In particular, Trojans that do little more than reuse old features and drop components from dead campaigns are commonplace within the segment of the threat sector that abuses data encryption. Malware researchers found a slightly more interesting example than usual in the Scarab Ransomware.

The Scarab Ransomware's campaign is in its early stages, and as of mid-June the Trojan may not be ready for immediate distribution. Features that malware researchers recommend expecting from the Scarab Ransomware include:

  • The Scarab Ransomware may use any of several encryption methods (such as XOR or Rijndael, the cipher standardized as AES) to lock your media, including documents, pictures, archives and audio. The Trojan appends a '.scarab' extension to every affected file name, which gives you a way of identifying the now-unusable files.
  • Encrypted media also is subjected to a second modification: the original names are overwritten with pseudo-random characters in patterns suggestive of Base64 encoding. Malware researchers have verified similar functionality in other threats, such as the Spectre Ransomware, although there are no definitive ties between these campaigns.
  • The Scarab Ransomware's most identifying symptom is the Notepad text message it places on your PC, either on the desktop or in directories that contain your ciphered media. The English text includes some content copied from other file-encrypting attacks, such as blaming the encryption on a generic 'security problem.' Other aspects of the ransom note are semi-original, including some effort put into formatting to improve its overall appearance and legibility.
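The three symptoms listed above (an appended marker extension, Base64-looking replacement names, and a dropped ransom note) are what an incident responder looks for first. The following triage script is an added example written for this page; it is not the Scarab authors' code and not from the page's source. It walks a directory, labels files by those symptoms, and pulls the contact addresses out of any ransom note it finds. The extension list, note file names and e-mail addresses are taken from the variants described further down this page; the sample directory it builds is constructed test data, and the Base64 and "e-mail in the suffix" checks are heuristics that can misfire on unusual legitimate names.

```python
"""Triage scan for Scarab-style encryption artifacts on a file tree.

Added example: not code from the Scarab authors or from this page's source.
It looks for the three symptoms described above: a Scarab extension appended
to files, Base64-looking replacement names, and a dropped ransom note, and
pulls the contact addresses out of any note it finds.
"""
import os
import re
import tempfile
from collections import Counter

# Extensions this page attributes to Scarab variants; extend the set as new ones appear.
# Suffixes that carry a contact address (e.g. '.[[crab1917@gmx.de]].krab') are caught separately.
SCARAB_EXTENSIONS = {
    ".scarab", ".crypted034", ".lolita", ".danger", ".nano",
    ".zzzzzzzz", ".joke", ".nosafe", ".rap",
}
# Ordinary extensions: a Base64-looking stem with one of these is probably a legitimate file.
COMMON_EXTENSIONS = {".txt", ".pdf", ".docx", ".xlsx", ".jpg", ".png",
                     ".zip", ".mp3", ".mp4", ".exe", ".dll"}
# Ransom note file names quoted on this page (compared case-insensitively).
NOTE_NAMES = {
    "how to recover encrypted files.txt", "how to restore files.txt",
    "how to decrypt files.txt", "recover encrypted files.txt",
    "!!! return your files !!!.txt",
}
NOTE_MARKERS = ("your files are now encrypted", "security problem with your pc")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Standard Base64 alphabet, at least 16 characters, optional '=' padding.
B64_STEM_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def classify(filename):
    """Label a file name that looks encrypted by Scarab, or return None."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() in SCARAB_EXTENSIONS:
        return "known_scarab_extension"
    # Some variants embed the contact address in the appended suffix; look past the first dot.
    suffix = filename[filename.find("."):] if "." in filename else ""
    if EMAIL_RE.search(suffix):
        return "email_in_extension"
    # Renamed file: Base64-looking stem followed by an extension no ordinary file uses.
    if ext and ext.lower() not in COMMON_EXTENSIONS and B64_STEM_RE.match(stem):
        return "base64_stem_unknown_extension"
    return None


def read_note(path):
    """Return the contact e-mails in a ransom note, or None if the file is not one."""
    name = os.path.basename(path).lower()
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read(65536)
    except OSError:
        return None
    if name not in NOTE_NAMES and not any(m in text.lower() for m in NOTE_MARKERS):
        return None
    return sorted(set(EMAIL_RE.findall(text)))


def scan_tree(root):
    """Walk `root` and summarize encrypted files, ransom notes and contact addresses."""
    result = {"encrypted": [], "notes": [], "contacts": set(), "by_label": Counter()}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            label = classify(fn)
            if label:
                result["encrypted"].append(path)
                result["by_label"][label] += 1
                continue
            if fn.lower().endswith(".txt"):
                emails = read_note(path)
                if emails is not None:
                    result["notes"].append(path)
                    result["contacts"].update(emails)
    result["contacts"] = sorted(result["contacts"])
    return result


def build_sample_tree():
    """Create a constructed directory mimicking a post-infection folder (sample data only)."""
    root = tempfile.mkdtemp(prefix="scarab_triage_")
    note = (
        "Your files are now encrypted!\n"
        "All your files have been encrypted due to a security problem with your PC.\n"
        "Contact us using this email address: dou876sh@tuta.io\n"
        "Reserve e-mail: dou876sh@mail.ee\n"
    )
    samples = {
        "document.docx.crypted034": b"\x00\x11",            # original name kept, marker appended
        "Zm9vYmFyYmF6cXV4MTIzNA==.scarab": b"\x22\x33",      # name replaced, '.scarab' appended
        "photo.png.danger": b"\x44\x55",
        "report.docx.[[crab1917@gmx.de]].krab": b"\x66\x77",  # contact address inside the suffix
        "dGVzdGZpbGUxMjM0NTY3OA==.xk": b"\x88\x99",          # unknown future marker
        "notes.txt": b"meeting at 10",                        # clean file
        "HOW TO RECOVER ENCRYPTED FILES.txt": note.encode(),
    }
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    summary = scan_tree(build_sample_tree())
    print(f"{len(summary['encrypted'])} encrypted files, "
          f"{len(summary['notes'])} ransom note(s), contacts: {summary['contacts']}")
```

Point `scan_tree` at a mounted image or a share rather than a live infected host, and treat the contact addresses it extracts as the identifiers that tie a sample to a particular Scarab variant.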

The Perfect Poison for an Intruding Bug

The Scarab Ransomware campaign may use English simply because it reaches victims in the most countries. Some of its filenames imply that either the threat actors or the target region of interest are Russian. Malware researchers are hesitant to name any single infection vector for the Scarab Ransomware, which may arrive through anything from e-mail attachments to corrupted Web page scripts, or even brute-force attacks against exposed logins.

Despite the few extra minutes of work its authors presumably put into its ransom message, paying the Scarab Ransomware's Bitcoin fee is the least reliable strategy for unlocking your files. If you have no other options, copy the encrypted files and test free decryption software against the copies for compatibility. Backups are the traditional way of limiting data loss from any file-encrypting Trojan, assuming that your anti-malware protection doesn't remove the Scarab Ransomware on sight.

The Scarab Ransomware is careful to warn against any way of retrieving your files that would let you avoid its ransom. Since a Bitcoin transaction cannot be reversed, and a refund depends entirely on the recipient's goodwill, ignoring both your backup schedule and your PC's security can be a high-priced pair of mistakes.

Update November 10th, 2018 — 'dou876sh@tuta.io' Ransomware

The 'dou876sh@tuta.io' Ransomware is one of the latest updates to the infamous Scarab Ransomware family. Thankfully, this variant does not introduce any major functional changes; the differences concern only the ransom note, the contact details and the extension used to mark the locked files. Files damaged by the 'dou876sh@tuta.io' Ransomware have the ‘.crypted034’ extension added to their names (e.g. ‘document.docx’ is renamed to ‘document.docx.crypted034’).

The cybercrooks behind the 'dou876sh@tuta.io' Ransomware are likely to distribute their harmful application with the help of cleverly crafted email messages designed to trick users into thinking they were sent by a legitimate company or institution. Often, these emails contain a download link or file attachment presented as important, whose sole purpose is to deploy the 'dou876sh@tuta.io' Ransomware.

If a user ends up downloading the 'dou876sh@tuta.io' Ransomware and does not have a reputable anti-virus program in place to stop the attack, they may lose the majority of their important files almost instantly. This file-encryption Trojan locks documents, spreadsheets, videos, photos, music and many other file types. Just like other file-lockers, the 'dou876sh@tuta.io' Ransomware also drops a ransom note that provides the victims with contact details and data recovery instructions. The 'dou876sh@tuta.io' Ransomware’s message is stored in the file ‘HOW TO RECOVER ENCRYPTED FILES.txt,’ and it lists the emails dou876sh@tuta.io and dou876sh@mail.ee as the only way to get in touch with the attackers. Surprisingly, the ransom note does not specify the amount of money the attackers demand, but it does state that Bitcoin is the only acceptable form of payment.

Regardless of the amount of money the authors of the 'dou876sh@tuta.io' Ransomware demand, paying them even a single cent would be a mistake. Cybercriminals are not known for their honesty, so you should not expect the 'dou876sh@tuta.io' Ransomware’s authors to provide you with a decryption tool after you send them the money.

The suggestion to the victims of the 'dou876sh@tuta.io' Ransomware is to remove the harmful file-locker by running a trustworthy anti-malware scanner that can identify and eradicate every file linked to the infection. When this task is complete, try running data recovery software, which might recover some of the locked files. Do not forget that the only guaranteed way to get your files back is to restore them from a backup, an option that might not be available to all victims.

Update November 26th, 2018 — 'lolitahelp@cock.li' Ransomware

Cybersecurity experts detected a new Scarab Ransomware variant called the 'lolitahelp@cock.li' Ransomware. After encrypting the files on the infected computer, the 'lolitahelp@cock.li' Ransomware adds the '.lolita' extension to them and creates a text file named 'How to restore files.TXT' containing the ransom note with instructions from the criminals.

The criminals urge affected users to contact them as fast as possible, claiming that the response time determines the price of decryption. Two emails are provided for this: 'lolitahelp@cock.li' and 'lolitahelp@protonmail.com.' As usual, payment is demanded in Bitcoin. To demonstrate their ability to restore the encrypted files, the creators of the 'lolitahelp@cock.li' Ransomware allow users to send up to three files, together no larger than 10 MB, to be decrypted for free.

The text of the ransom note begins:

'Your files are now encrypted!
Your personal identifier:
[random characters]

Update November 27th, 2018 — 'wewillhelp@airmail.cc' Ransomware

The 'wewillhelp@airmail.cc' Ransomware is a new Scarab-Bomber Ransomware variant that has been unleashed in the wild. It encrypts the user's files with AES-256-CBC and renders them unusable. The ransom note is placed in a newly created text file called 'HOW TO RECOVER ENCRYPTED FILES.TXT.' The note doesn't mention a specific sum for decryption, but it states that the longer affected users hesitate to contact the criminals, the more Bitcoin they will have to pay. Victims of the 'wewillhelp@airmail.cc' Ransomware are told to send an email to 'wewillhelp@airmail.cc.'

If that account gets shut down, the criminals direct victims to use Jabber (XMPP) instead, via the Pidgin client with the OTR plugin; their XMPP address is 'helpersmasters@xmpp.jp.' The ransom note provides detailed instructions:

'Your files are now encrypted!
Your personal identifier:
[random characters]
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins.
The price depends on how fast you write to us.
After payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: wewillhelp@airmail.cc
If you don't get a reply for 12 hours or if the email dies, then contact us using jabber(XMPP).
Download it form here: https://www.pidgin.im/ install it Next download https://otr.cypherpunks.ca/ install it
Register here - https://www.xmpp.jp/signup?lang=en
In pidgin turn on module OTR After write us in pidgin - helpersmasters@xmpp.jp (It is not a mail,xmpp)
Free decryption as guarantee! Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.).'

Doing what the cybercriminals want is not recommended. Instead, remove the 'wewillhelp@airmail.cc' Ransomware with a legitimate anti-malware solution and restore the files from a backup drive.

Update November 26th, 2018 — 'stevenseagal@airmail.cc' Ransomware

A recent variant of the Scarab Ransomware adds a 'stevenseagal@airmail.cc' extension to each encrypted file. The ransom note appears in a text file named 'HOW TO RECOVER ENCRYPTED FILES.TXT' and demands that victims send their unique identifiers to the cybercriminals behind this Scarab incarnation, either via email or through a Jabber account. The email address is the same string appended to all encrypted files, while the Jabber account is helpersmasters@xmpp.jp. The ransom is payable in Bitcoin, but affected users will not learn the exact amount unless they submit their identifiers. The crooks offer to decrypt up to three files of the victim's choosing, as long as they neither exceed 10 MB in total nor contain important information. The ransom note generated by the 'stevenseagal@airmail.cc' Ransomware claims the infection occurred 'due to a security problem with your PC.' It does not reveal the encryption algorithm used. The 'stevenseagal@airmail.cc' Ransomware exploits infection vectors similar to those of earlier Scarab Ransomware strains.

Update November 29th, 2018 — 'online24files@airmail.cc' Ransomware

The 'online24files@airmail.cc' Ransomware is a part of the Scarab Ransomware family that locks files for ransom. Infections come with symptoms including media files that no longer open (such as documents), deleted Windows backups, extensions added to your files and text ransom messages. Not keeping all of your backups on a local drive, and having anti-malware products that can uninstall the 'online24files@airmail.cc' Ransomware, are the ideal countermeasures.

Trojans with Deadlines Coming Back for More of Your Money

The social-engineering technique of pressuring victims into paying quickly, before they risk losing all of their media, is one that malware researchers see in multiple campaigns, most relevantly that of the Scarab-Danger Ransomware, an English-language member of the Scarab Ransomware family. Nearly half a year later, threat actors are circulating a new version of the file-locking Trojan that, like it, combines time pressure with Jabber-based negotiation. In other areas of its payload, the 'online24files@airmail.cc' Ransomware is very similar to relatives like the Scarab-Rebus Ransomware, the Scarab-Leen Ransomware or the Scarab-Horsia Ransomware.

The 'online24files@airmail.cc' Ransomware's family consistently uses AES-based encryption as its means of 'locking' files by converting them into encrypted formats. Along with this alteration of file data, which targets widely used media like documents, archives and pictures, the 'online24files@airmail.cc' Ransomware appends the e-mail address from its name to each file (instead of a Jabber address, as the Scarab-Danger Ransomware did).

While doing so, the 'online24files@airmail.cc' Ransomware also deletes the Windows backups to block any easy attempts at restoring your files, and deposits a Notepad text message that is a mild update of the Scarab-Danger Ransomware's equivalent. Its instructions for obtaining the criminal's unlocker still encourage using Jabber and retain the three-day deadline on paying, which malware experts continue to discourage as a recovery solution.

Exterminating New Beetles as They Run for Your Files

There is no free decryption software for most versions of the Scarab Ransomware family, including both its Russian-oriented members and English-language ones like the 'online24files@airmail.cc' Ransomware. However, one AV vendor offers a paid decryption service that victims may use instead of paying the threat actor's ransom. For their part, malware experts strongly recommend saving a backup of all files to a separate and secure device, such as a detached USB drive.

Threat actors using different members of the Scarab Ransomware Ransomware-as-a-Service frequently break into servers over Remote Desktop, typically by brute-forcing weak administrator logins with automated tools. Managing passwords and network settings properly (strong, unique credentials, and no Remote Desktop exposed directly to the Internet) will keep your network from being vulnerable. For average Windows users, most anti-malware products should block and delete the 'online24files@airmail.cc' Ransomware arriving through all other infection vectors.
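A Remote Desktop brute-force attempt leaves a recognizable trail in the Windows Security log before any file is encrypted: a burst of failed logons (Event ID 4625) from one source address, often against several administrative account names, followed by a success (Event ID 4624) from the same address. The detector below is an added example written for this page, not code from the Scarab operators or from the page's source. It runs over constructed events reduced to the fields that matter, and its threshold, window and grace period are assumptions to tune per environment.

```python
"""Spot password guessing against RDP in Windows Security log events.

Added example, not from this page's source. The page says Scarab operators
brute-force Remote Desktop logins; the detector below runs over constructed
events reduced to the fields that matter: Event ID 4625 (failed logon) and
4624 (successful logon), with LogonType 10 (RemoteInteractive, i.e. RDP).
Threshold, window and grace period are assumptions to tune per environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _failures(ip, start, count, users, step=2):
    """Constructed burst of 4625 events from one source, `step` seconds apart."""
    base = datetime.fromisoformat(start)
    return [
        {"time": (base + timedelta(seconds=step * i)).isoformat(), "id": 4625,
         "user": users[i % len(users)], "ip": ip, "logon_type": 10}
        for i in range(count)
    ]


# Constructed sample: one attacker spraying admin names and finally succeeding,
# and one legitimate user who mistyped a password twice.
SAMPLE_EVENTS = (
    _failures("203.0.113.7", "2018-11-29T03:14:00", 12, ["administrator", "admin", "backup"])
    + [{"time": "2018-11-29T03:15:10", "id": 4624, "user": "administrator",
        "ip": "203.0.113.7", "logon_type": 10}]
    + _failures("198.51.100.20", "2018-11-29T08:00:00", 2, ["jsmith"], step=10)
    + [{"time": "2018-11-29T08:00:30", "id": 4624, "user": "jsmith",
        "ip": "198.51.100.20", "logon_type": 10}]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(seconds=60),
                          success_grace=timedelta(minutes=10)):
    """Return alerts for failure bursts per source IP and for a success that follows one.

    Events are processed in time order; one burst alert is raised per IP so a
    long-running spray does not flood the output.
    """
    recent = defaultdict(deque)   # ip -> (time, user) failures inside `window`
    burst_at = {}                 # ip -> time the burst alert fired
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != 10:
            continue              # only RDP logons matter here
        t = datetime.fromisoformat(ev["time"])
        ip = ev["ip"]
        if ev["id"] == 4625:
            q = recent[ip]
            q.append((t, ev["user"]))
            while q and t - q[0][0] > window:   # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in burst_at:
                burst_at[ip] = t
                alerts.append({"type": "rdp_bruteforce", "ip": ip, "at": ev["time"],
                               "failures": len(q), "users": sorted({u for _, u in q})})
        elif ev["id"] == 4624:
            # A success shortly after a burst from the same address is the
            # "password found" signal and deserves the highest priority.
            fired = burst_at.get(ip)
            if fired is not None and t - fired <= success_grace:
                alerts.append({"type": "rdp_success_after_bruteforce", "ip": ip,
                               "user": ev["user"], "at": ev["time"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

Feed it events exported from the Security log (the source address is in the IpAddress field of 4625 and 4624 records) and act on the second alert type first: a success after a burst means the account is already in the attacker's hands.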

'Pay quickly, or else' is a theme among some file-locker Trojans and an effective way of parting users from their money for no good reason. Rewarding the 'online24files@airmail.cc' Ransomware's authors by buying a decryptor that you might never receive is a haphazard solution to an easily preventable problem.

Update December 4th, 2018 — 'server.recover@mail.ru' Ransomware

The 'server.recover@mail.ru' Ransomware is a member of the Scarab Ransomware family that uses a new extension and a new contact email, the latter found in the default ransom note file used by the Scarab Ransomware, ‘HOW TO RECOVER ENCRYPTED FILES.txt.’ When the 'server.recover@mail.ru' Ransomware initializes its attack, it attempts to encrypt the contents of all documents, images, videos, archives, databases, spreadsheets and other commonly used file types that it finds on the compromised system. The locked files also have their names altered by adding the ‘.danger’ extension after the original file extension (e.g. ‘photo.png’ is renamed to ‘photo.png.danger’).

To increase the damage it inflicts, the 'server.recover@mail.ru' Ransomware also might create a Registry key that launches the ransomware again when the computer restarts, allowing it to encrypt files created since. Furthermore, Scarab variants like this one are known for disabling the System Restore service and deleting the Shadow Volume Copies that might otherwise be used to recover the files partially.

It is likely that the payload of the 'server.recover@mail.ru' Ransomware is being spread via spam emails, so we advise you to be very careful when reviewing an email sent by an unknown contact. Often, the unsafe payload is disguised as a harmless file attachment, so you need to think twice before downloading unknown email attachments. The best way to ensure the safety of your files is to back them up to offline or cloud storage regularly. In addition, it is recommended to keep your system protected by an up-to-date anti-malware tool.

If the 'server.recover@mail.ru' Ransomware has locked up your files already, you might have seen the message left by the attackers: they promise a swift recovery as soon as you send a ransom payment to the Bitcoin wallet they provide. Negotiating with cybercriminals is an activity you should avoid at all costs, because the 'server.recover@mail.ru' Ransomware’s authors may trick you easily.

Update December 12th, 2018 — Scarab-Crypted034 Ransomware

The Scarab-Crypted034 Ransomware is a file-locker Trojan that encrypts different media formats as a way of locking them and stopping them from opening. As a branch of the Scarab Ransomware family, the Scarab-Crypted034 Ransomware may circulate with the help of brute-force attacks aimed at cracking login credentials, and it erases your default backups. Update any anti-malware solution you have available for removing the Scarab-Crypted034 Ransomware quickly and accurately, and back your work up for its protection.

The Beetle Army Gets One Member Stronger

File-locker Trojans from the ranks of the Scarab Ransomware are responsible for more attacks against unknown victims, although the payloads imply that English-speaking nations are the threat actors' targets. The Scarab-Crypted034 Ransomware is little different from other members of the English side of this family, such as the Scarab-DD Ransomware, the Scarab-Good Ransomware, the Scarab-Barracuda Ransomware, and its predecessor, the Scarab-Rebus Ransomware. This Ransomware-as-a-Service threat is, like the other ones that malware experts inspect, capable of converting most widely-used file types into unreadable formats.

Encryption attacks from the Scarab-Crypted034 Ransomware and the rest of its family are AES-based, using one of the most common algorithms for enciphering data and stopping it from opening. While this feature converts data without a UI or other visible symptoms at first, it tags the files afterward by giving them a different extension, in this case the '.crypted034' string. Like other Scarab Ransomware releases, the Trojan replaces the rest of the name as well.

Although the Scarab-Crypted034 Ransomware's typo-ridden file metadata imply that it poses as 'pulse computation' software, this disguise probably has no bearing on how it is installed. Threat actors regularly deploy members of the Scarab Ransomware family onto business networks after brute-forcing their logins or sending corrupted e-mail attachments. Securing your login credentials appropriately and scanning suspicious e-mail files are steps that malware experts encourage at all times for hampering such attacks.

The 'Security Problem' that's Easily Preventable

The Scarab-Crypted034 Ransomware's family is known for the copy-pasted template of many of its ransom notes, which warn the victim of a 'security problem' with the PC alongside the ransoming information. Users should test other decryption methods before considering the ransom, which rewards the criminal's campaign and furthers the profitability of the RaaS industry. While one AV company offers a decryption service for the Scarab Ransomware, it may or may not be compatible with the media encrypted by new releases like the Scarab-Crypted034 Ransomware.

Malware researchers also discourage relying too heavily on local backups, such as the Shadow Volume Copies, which the Scarab-Crypted034 Ransomware deletes by default. Backing up work to other systems or storage devices will help preserve it from encryption, deletion or corruption. Users protecting their Windows PCs with compatible anti-malware programs should have the Scarab-Crypted034 Ransomware deleted immediately regardless.

Recovering from a Scarab-Crypted034 Ransomware infection includes not just getting your files back, but also re-enabling disabled security features and working around missing backup data. It is far simpler to use proper anti-malware protection, schedule backup routines and close the most easily corrected infection vectors.

Update December 19th, 2018 — 'aztecdecrypt@protonmail.com' Ransomware

The Scarab Ransomware family's expansion continues with the 'aztecdecrypt@protonmail.com' Ransomware, a file-locker that cannot be decrypted via free methods. Its victims might not be able to recover their files for free because of the extra measures this file-locker takes to make recovery more difficult. When the 'aztecdecrypt@protonmail.com' Ransomware completes the file-encryption task, it may proceed to use built-in Windows system tools to wipe all Shadow Volume Copies (used by System Restore), and then disable the Windows System Restore service. These measures greatly reduce the victim’s chances of restoring data via free software and make it more likely that they will consider cooperating with the 'aztecdecrypt@protonmail.com' Ransomware’s authors.
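The wiping of Shadow Volume Copies and the disabling of System Restore described here (and for the 'server.recover@mail.ru' variant above) happen through ordinary command-line tools, which makes them one of the few reliable pre-encryption signals a defender can alert on. The detector below is an added example written for this page, not code from the Scarab authors or from the page's source. The page does not name the commands these variants run; the patterns are an assumption covering the built-in tools commonly driven for this purpose, and the input is a constructed set of process-creation records in the shape of a Sysmon Event ID 1 export.

```python
"""Flag process-creation events that destroy Windows recovery data.

Added example, not from this page's source. The page says Scarab variants use
built-in Windows tools to wipe Shadow Volume Copies and disable System Restore
without naming the commands, so the patterns below are an assumption covering
the tools commonly driven for that purpose. Input lines are constructed JSON
records in the shape of Sysmon Event ID 1 (process create) exports.
"""
import json
import re

BACKUP_KILL_PATTERNS = [
    ("shadow_copy_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow_copy_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("shadow_storage_shrink", re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("backup_catalog_delete", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no", re.I)),
    ("recovery_disabled", re.compile(r"\bbcdedit(\.exe)?\b.*bootstatuspolicy\s+ignoreallfailures", re.I)),
    ("system_restore_disabled", re.compile(r"\breg(\.exe)?\s+add\b.*SystemRestore.*\bDisableSR\b.*\b1\b", re.I)),
    ("system_restore_disabled", re.compile(r"\bDisable-ComputerRestore\b", re.I)),
]
WINDOWS_DIRS = ("c:\\windows\\",)

# Constructed sample log: four destructive commands launched by a binary dropped in a
# user profile, followed by two benign events (an admin listing shadows, a service host).
SAMPLE_LOG = r"""
{"UtcTime": "2018-12-19 14:02:11", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}
{"UtcTime": "2018-12-19 14:02:12", "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic.exe shadowcopy delete", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}
{"UtcTime": "2018-12-19 14:02:13", "Image": "C:\\Windows\\System32\\bcdedit.exe", "CommandLine": "bcdedit.exe /set {default} recoveryenabled No", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}
{"UtcTime": "2018-12-19 14:02:14", "Image": "C:\\Windows\\System32\\reg.exe", "CommandLine": "reg add \"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\" /v DisableSR /t REG_DWORD /d 1 /f", "ParentImage": "C:\\Users\\victim\\AppData\\Roaming\\svchost.exe"}
{"UtcTime": "2018-12-19 15:30:00", "Image": "C:\\Windows\\System32\\vssadmin.exe", "CommandLine": "vssadmin.exe list shadows", "ParentImage": "C:\\Windows\\System32\\mmc.exe"}
{"UtcTime": "2018-12-19 15:31:00", "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs", "ParentImage": "C:\\Windows\\System32\\services.exe"}
"""


def classify_command(cmdline):
    """Return the destruction category a command line matches, or None."""
    for category, pattern in BACKUP_KILL_PATTERNS:
        if pattern.search(cmdline):
            return category
    return None


def scan_process_log(lines):
    """Return one alert per event whose command line matches a backup-destruction pattern."""
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        category = classify_command(ev.get("CommandLine", ""))
        if category is None:
            continue
        parent = ev.get("ParentImage", "").lower()
        alerts.append({
            "time": ev.get("UtcTime"),
            "category": category,
            "command": ev.get("CommandLine"),
            "parent": ev.get("ParentImage"),
            # Admin tooling normally runs these from a parent under C:\Windows; a parent
            # living in a user profile is the stronger ransomware signal.
            "parent_outside_windows": not parent.startswith(WINDOWS_DIRS),
        })
    return alerts


def looks_like_pre_encryption_stage(alerts, distinct_categories=2):
    """One command may be admin work; several distinct categories in one session is not."""
    return len({a["category"] for a in alerts}) >= distinct_categories


if __name__ == "__main__":
    found = scan_process_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(a["time"], a["category"], "parent outside Windows:", a["parent_outside_windows"])
    print("pre-encryption stage likely:", looks_like_pre_encryption_stage(found))
```

Backup administrators legitimately run some of these commands, so the alert carries the parent image and the script only calls the session suspicious when more than one category fires; in practice, a matching command from a parent outside C:\Windows should trigger host isolation, because encryption usually follows within seconds.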

The attack of this file-encryption Trojan may be hard to spot at first, and victims are likely to learn about it only when they see that most of their files cannot be accessed. All files that the 'aztecdecrypt@protonmail.com' Ransomware takes hostage are marked with the ‘.aztecdcecrypt@protonmail.com’ extension. In addition to encrypting and renaming the files, the 'aztecdecrypt@protonmail.com' Ransomware also creates the ransom note ‘HOW TO DECRYPT FILES.txt’ and places it on the desktop. The attacker's message states that victims need to email either aztecdecrypt@protonmail.com or aztecdecryptor@mailfence.com if they wish to have a chance to recover their files. Unfortunately, negotiating with the perpetrators of the attack is unlikely to end well, since they demand payment in exchange for their decryption service.

The authors have not specified the amount of money they want for their decryption service, but you can rest assured that the cost will be significant. Even if you can afford to pay the attackers, we would not suggest doing so, because they may take your money and provide nothing in return.

While recovering the files locked by the 'aztecdecrypt@protonmail.com' Ransomware is impossible at the moment, there are still things victims need to do. The top priority is to remove the 'aztecdecrypt@protonmail.com' Ransomware using a trustworthy anti-malware scanner. After your anti-virus program has cleaned the harmful files off your computer, check whether any third-party data recovery software can get at least a fraction of your files back.

Update January 2nd, 2019 — '.rap' Extension Variant

Security researchers have found a newly released Scarab Ransomware variant that uses the ‘.rap’ extension. Its ransom note is named "HOW TO RECOVER ENCRYPTED FILES.TXT." The contact email for the people behind this variant is ‘rapid.supp[at]qq[dot]com.’

The ransom note reads as the following:

"Your files are now encrypted!
All your files have been encrypted due to a security problem with your PC.
Now you should send us email with your personal identifier.
This email will be as confirmation you are ready to pay for decryption key.
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us.
After Payment we will send you the decryption tool that will decrypt all your files.
Contact us using this email address: rapid.supp[at]qq[dot]com
Free decryption as guarantee!
Before paying you can send us up to 3 files for free decryption.
The total size of files must be less than 10Mb (non archived), and files should not contain valuable information (databases, backups, large excel sheets, etc.)."

Instructions on how to purchase the Bitcoin cryptocurrency and warnings against renaming files and decryption with third-party software follow in the ransom note.

Update January 3rd, 2019 — Scarab-nano Ransomware

The Scarab-nano Ransomware is the latest addition to the list of file-lockers based on the code of the Scarab Ransomware family. Unfortunately, this version also cannot be decrypted via free utilities, and its victims might need to look into alternative data restoration options that are not guaranteed to work. The consequences of the Scarab-nano Ransomware’s attack are always the same: a hard drive full of locked files whose names have been modified to include the ‘.nano’ extension. In addition, the Scarab-nano Ransomware drops the ransom message ‘RECOVER ENCRYPTED FILES.txt,’ which aims to tell users what steps to take if they wish to access their files again.

The bad news is that the instructions supplied by the authors of the Scarab-nano Ransomware are incomplete; instead, they focus on informing the victim that they will need to pay an expensive ransom in exchange for a decryptor. The ransom note also includes the email private-key@foxmail.com for contacting the perpetrators.

If you think that the Scarab-nano Ransomware has your files in its grip, then we advise you to ignore the instructions of the attackers. Although they promise to provide you with a decryptor as soon as they receive the ransom payment, there is no way to be sure that they will not try to trick you out of your money. Instead of trusting anonymous cybercrooks, you should use a reputable anti-malware tool to dispose of the Scarab-nano Ransomware’s files and then look into alternative file recovery techniques.

Update January 16th, 2019 - Scarab-krab Ransomware

The Scarab-krab Ransomware is an update to the Scarab Ransomware family, but it does not introduce any improvements in terms of features. Instead, the Scarab-krab Ransomware simply uses a different extension to mark the locked files and provides victims with new contact details that they must use if they wish to get their files back. Unfortunately, contacting the operators of the Scarab-krab Ransomware is not likely to help, because they will demand a significant sum in exchange for their decryptor, and even if you opt to pay them, there is no guarantee that you will get what you were promised.

The harmful executable file that initializes the Scarab-krab Ransomware might be propagated via cleverly designed emails whose objective is to trick the user into downloading a file attachment that is supposed to include important details. However, instead of a legitimate invoice, bill, document or CV, the victim might end up downloading a macro-laced Microsoft Office document, which is programmed to unpack and execute the Scarab-krab Ransomware’s payload.

When this ransomware is active, it will begin to work in the background and encrypt documents, videos, images, archives, databases, and many other file types. All encrypted files will have their names modified by the addition of the ‘.[[crab1917@gmx.de]].krab’ extension. The Scarab-krab Ransomware’s ransom note is dropped in the file ‘!!! RETURN YOUR FILES !!!.txt’ and it usually can be found on the desktop after the attack is complete. The instructions state that the victims must message either crab1917@gmx.de or crab1917@protonmail.com for further instructions and payment information.

We do not recommend trying to seek help from the Scarab-krab Ransomware’s operators because they are not to be trusted. Instead of trying to cooperate with anonymous cybercriminals, you should take the required steps to eliminate the Scarab-krab Ransomware with the use of a credible anti-malware scanner. When this task is accomplished, you should start looking into alternative data recovery techniques.

Update January 17th, 2019 - Scarab-Zzz Ransomware

The Scarab-Zzz Ransomware is a file-encryption Trojan based on the Scarab Ransomware project. Although security researchers have spent over a year dealing with different variations of the Scarab Ransomware family, it is still not possible to provide a free decryptor for this file-encryption Trojan. If you are a victim of the Scarab-Zzz Ransomware, it is likely that this file-locker has taken a significant number of your files hostage: it locks documents, images, videos, archives, backups, spreadsheets and other popular file formats.

All the files that the Scarab-Zzz Ransomware encrypts will have the ‘.zzzzzzzz’ extension added to the end of their names. The last stage of the attack will create the ransom message ‘HOW TO RECOVER ENCRYPTED FILES.txt,’ which contains file decryption instructions and contact details. Unsurprisingly, the operators of the Scarab-Zzz Ransomware are not willing to help for free – instead, they want to receive a hefty amount of money in exchange for their decryptor. The contact details used by the Scarab-Zzz Ransomware’s authors are the emails rohitramses@protonmail.com and rohitramses@tutanota.com.

The attackers may spread the Scarab-Zzz Ransomware with the help of fraudulent emails that appear to contain a legitimate document but whose sole purpose is to deliver the Scarab-Zzz Ransomware’s payload. If you suspect that the Scarab-Zzz Ransomware has locked your files, we advise you not to panic despite the severity of the situation. Remember that paying the attackers is a horrible idea and you should never agree to it; instead, remove the Scarab-Zzz Ransomware with the help of a trustworthy anti-malware application immediately and then look into third-party data recovery options. However, a free decryptor is not available, and data recovery software might not get all of your files back.

Update January 29th, 2019 - Scarab-Joke Ransomware

The Scarab Ransomware family has a new member, and it is called the Scarab-Joke Ransomware – which is a file-locker that uses the same file-encryption algorithm as all other variants of Scarab. Unfortunately, recovering from the Scarab-Joke Ransomware’s attack is not a simple task, and many users might end up losing a lot of their files if they do not have the habit of creating a backup copy of their important files.

The Scarab-Joke Ransomware’s attack leaves many files marked with the ‘.joke’ extension, helping the user swiftly spot the files they can no longer access because of the infection. After the Scarab-Joke Ransomware locks all suitable file formats, it drops the ransom message ‘HOW TO RECOVER ENCRYPTED FILES.txt,’ which provides the victim with data recovery instructions. Unfortunately, the solution the attackers propose is quite costly: the victims are asked to pay a few hundred dollars (via Bitcoin) in exchange for a decryptor.

Apart from the demands of the attackers, the ransom note also contains the emails projectjoke@india.com and projectjoke@aol.com that can be used to reach the perpetrators. Unfortunately, the Scarab-Joke Ransomware is no joke, and its attack is guaranteed to cause a lot of damage to the files on the compromised computer. The only surefire way to recover the encrypted files is to restore them from a recent backup. If you are a victim of the Scarab-Joke Ransomware and you do not have a backup copy of your files, you should remove the file-locker with the help of a trustworthy anti-malware application and then see whether any third-party data recovery utilities can help you get your files back.

Update February 7th, 2019 - Scarab-nosafe Ransomware

The Scarab-nosafe Ransomware is meant to encrypt the victim’s files and then extort money from them by promising a decryption solution as soon as they transfer a specific amount of Bitcoin to the attacker’s wallet address. The amount the Scarab-nosafe Ransomware’s authors ask for is not disclosed, but you can rest assured that it will be steep, and you should not agree to pay it.

Dealing with the consequences of a ransomware attack is never easy, especially when the files have been encrypted by a widespread ransomware family that cannot be decrypted for free. If you are a victim of the Scarab-nosafe Ransomware, you should know that your files cannot be recovered for free, and the only reliable way to get all of your data back is to restore it from a backup. If that is not an option, it may be worth trying third-party data recovery software, but be aware that this method is likely to recover only a small portion of your files.

As its name indicates, this ransomware is a member of the Scarab Ransomware family, one of the most prominent file-encryption Trojan families that malware researchers have encountered in the past few years. Its operators usually spread it via phishing emails carrying a harmful file attachment. Users who download and execute the attachment on an unprotected computer may unleash the Scarab-nosafe Ransomware and unwittingly allow it to encrypt their files. All files locked by this ransomware have the ‘.nosafe’ extension added to their names.

When all suitable files have been encrypted, the Scarab-nosafe Ransomware drops the ransom note ‘HOW TO RECOVER ENCRYPTED FILES.txt,’ which instructs the victim to contact the attackers at either nosafe@airmail.cc or nosafe@india.com. The note also states that the victim’s data can be recovered only if they agree to pay a ransom in Bitcoin.

The advice for users affected by the Scarab-nosafe Ransomware’s attack is to use a reputable anti-virus application to dispose of the harmful program and then to try the data recovery options listed above.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: file.exe
Size: 537.08 KB (537088 bytes)
MD5: 563f66fe907979940b1bec33359f1ab5
Detection count: 86
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 359.42 KB (359424 bytes)
MD5: b41a3ad2516c846f54416bc9c6dc5679
Detection count: 75
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: sevnz.exe
Path: %APPDATA%
Size: 210.43 KB (210432 bytes)
MD5: 0f34663652bb15d618e9dd40f1f949cf
Detection count: 74
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 190.46 KB (190464 bytes)
MD5: 65545f2e10359f51f5c3e8312bf5aae8
Detection count: 72
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: file.exe
Size: 669.18 KB (669184 bytes)
MD5: 65fb5232fcb9c3236f26a89774d767b1
Detection count: 54
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 6, 2020

File name: bb41f0323bc51d479f1ae4a36321ad0f
Size: 423.93 KB (423936 bytes)
MD5: bb41f0323bc51d479f1ae4a36321ad0f
Detection count: 36
Group: Malware file

File name: file.exe
Path: C:\Users\<username>\AppData\Roaming\Microsoft
Size: 47.1 KB (47104 bytes)
MD5: 0d4e6b84863d2a93542b6e24b6a61d5a
Detection count: 35
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: May 4, 2018

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 302.08 KB (302080 bytes)
MD5: 43001d404e416d986b6e98dd44352e88
Detection count: 26
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 336.89 KB (336896 bytes)
MD5: aebc5e56f11a26d19617e42542573fda
Detection count: 21
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 200.7 KB (200704 bytes)
MD5: 9a8d93f5be69b87950ca363d15445890
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 434.68 KB (434688 bytes)
MD5: 245ba18289ed37db8ea5db39b608aebc
Detection count: 7
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 361.98 KB (361984 bytes)
MD5: 663ec9b1e4274a4f783b2ccee343f6c5
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: sevnz.exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Size: 200.7 KB (200704 bytes)
MD5: 2b35b62331574164b838859a08322be8
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: October 18, 2017

File name: osk.exe
Path: C:\Users\<username>\AppData\Roaming
Size: 616.44 KB (616448 bytes)
MD5: e339b602e7ec04db74891c836f39fa95
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: March 6, 2020

Registry Modifications

The following newly produced Registry Values are:

Regexp file mask:
%APPDATA%\bwint.exe
%APPDATA%\Microsoft\wxmon.exe
%APPDATA%\sevnz.exe
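The indicators above (dropped-file hashes and names, the ‘.scarab’, ‘.joke’ and ‘.nosafe’ extensions, and the ‘HOW TO RECOVER ENCRYPTED FILES.txt’ note) can be turned into a quick host-triage check. The Python script below is an added example written for this page, not code from the page or from any vendor: it walks a directory tree, hashes executables against the MD5 list from the file table, and reports encrypted-file extensions and ransom notes. The function names, the four-class result layout, and the constructed sample tree built by make_constructed_tree are assumptions of this example; only the hashes, file names, extensions and note name come from the page.

```python
"""Triage scanner for the Scarab-family indicators listed on this page.

Added example, not code from the page or from any vendor. It walks a directory
tree and reports:
  1. files whose MD5 matches one of the dropped-payload hashes listed above,
  2. files named like the dropped components (sevnz.exe, osk.exe, bwint.exe,
     wxmon.exe),
  3. files carrying a Scarab-family extension (.scarab, .joke, .nosafe),
  4. copies of the ransom note 'HOW TO RECOVER ENCRYPTED FILES.txt'.
Every indicator list can be overridden so the scanner can be exercised on a
constructed sample tree instead of a real infection.
"""
import hashlib
import os
import sys
from pathlib import Path

# MD5 values from the "File System Modifications" list on this page.
SCARAB_MD5S = frozenset({
    "563f66fe907979940b1bec33359f1ab5", "b41a3ad2516c846f54416bc9c6dc5679",
    "0f34663652bb15d618e9dd40f1f949cf", "65545f2e10359f51f5c3e8312bf5aae8",
    "65fb5232fcb9c3236f26a89774d767b1", "bb41f0323bc51d479f1ae4a36321ad0f",
    "0d4e6b84863d2a93542b6e24b6a61d5a", "43001d404e416d986b6e98dd44352e88",
    "aebc5e56f11a26d19617e42542573fda", "9a8d93f5be69b87950ca363d15445890",
    "245ba18289ed37db8ea5db39b608aebc", "663ec9b1e4274a4f783b2ccee343f6c5",
    "2b35b62331574164b838859a08322be8", "e339b602e7ec04db74891c836f39fa95",
})
# Dropped-file names from the page. 'file.exe' is too generic to alert on by
# name alone, so it is only reported when its hash matches.
SCARAB_DROP_NAMES = frozenset({"sevnz.exe", "osk.exe", "bwint.exe", "wxmon.exe"})
# Extensions appended by the variants described on this page.
SCARAB_EXTENSIONS = frozenset({".scarab", ".joke", ".nosafe"})
RANSOM_NOTE_NAMES = frozenset({"HOW TO RECOVER ENCRYPTED FILES.txt"})


def md5_of(path, chunk=1 << 16):
    """Stream a file through MD5 so large files need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_tree(root, md5s=SCARAB_MD5S, drop_names=SCARAB_DROP_NAMES,
              extensions=SCARAB_EXTENSIONS, note_names=RANSOM_NOTE_NAMES):
    """Walk `root` and return sorted, root-relative paths per indicator class."""
    root = Path(root)
    drop_lower = {n.lower() for n in drop_names}
    found = {"hash_matches": [], "named_drops": [], "encrypted": [], "ransom_notes": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath, name)
            rel = str(path.relative_to(root))
            lower = name.lower()
            if name in note_names:
                found["ransom_notes"].append(rel)
            # Scarab appends its marker after the original extension, so only
            # the final suffix is checked ('report.docx.joke' -> '.joke').
            if path.suffix.lower() in extensions:
                found["encrypted"].append(rel)
            if lower in drop_lower:
                found["named_drops"].append(rel)
            # Hash executables and known drop names only; hashing every
            # encrypted user file would slow triage for no gain.
            if lower.endswith(".exe") or lower in drop_lower:
                try:
                    if md5_of(path) in md5s:
                        found["hash_matches"].append(rel)
                except OSError:
                    pass  # locked or unreadable: skip rather than abort triage
    for hits in found.values():
        hits.sort()
    return found


def verdict(found):
    """Collapse scan results into a triage verdict."""
    if found["hash_matches"] or found["ransom_notes"]:
        return "confirmed"
    if found["encrypted"] or found["named_drops"]:
        return "suspicious"
    return "clean"


def make_constructed_tree(root):
    """Build a constructed fake infection under `root` for demonstration.
    Returns the MD5 of the stand-in payload so it can be passed as md5s=...."""
    roaming = Path(root, "AppData", "Roaming")
    roaming.mkdir(parents=True, exist_ok=True)
    payload = b"constructed stand-in payload, not the real sample"
    (roaming / "sevnz.exe").write_bytes(payload)
    Path(root, "clean.exe").write_bytes(b"harmless executable stand-in")
    Path(root, "report.docx.joke").write_bytes(b"\x00" * 16)
    Path(root, "HOW TO RECOVER ENCRYPTED FILES.txt").write_text("ransom note")
    return hashlib.md5(payload).hexdigest()


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = scan_tree(target)
    for kind, hits in results.items():
        for hit in hits:
            print(f"{kind}: {hit}")
    print("verdict:", verdict(results))
```

Run it against a user profile (for example `python scan.py "C:\Users\<username>\AppData\Roaming"`) on a suspect host. A hash match or a ransom note is treated as confirmation, while a drop-name or extension hit alone is only flagged as suspicious, because filenames such as osk.exe also exist legitimately and a single odd extension can be a false positive; the MD5 list only covers the samples tabulated on this page, so an unlisted build will surface through the note and extension checks rather than the hash check.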
